Imagemagick security issue local install

Questions and postings pertaining to the development of ImageMagick, feature enhancements, and ImageMagick internals. ImageMagick source code and algorithms are discussed here. Usage questions which are too arcane for the normal user list should also be posted here.
Post Reply
LotusE
Posts: 10
Joined: 2014-01-26T07:14:12-07:00
Authentication code: 6789

Imagemagick security issue local install

Post by LotusE » 2016-05-04T01:06:54-07:00

Hi,

I just read about the security issue in imagemagick. I'm using the imagemagick install on a local windows system, so not a webserver.

Am I affected by this issue too or is it only if you have imagemagick on a webserver install?

Thanks in advance for the information!

Kind regards

Steve

LotusE
Posts: 10
Joined: 2014-01-26T07:14:12-07:00
Authentication code: 6789

Re: Imagemagick security issue local install

Post by LotusE » 2016-05-04T01:36:11-07:00

Just a bit more info: I use Imagemagick to process files I receive from our customers, I download these from ftp to the local system and then process them with Imagemagick locally using the imagemagick dll. Is this setup also affected?

User avatar
magick
Site Admin
Posts: 10995
Joined: 2003-05-31T11:32:55-07:00

Re: Imagemagick security issue local install

Post by magick » 2016-05-04T03:33:17-07:00

The exploit is narrow in scope. You must allow direct access to the ImageMagick utilities or API to remote users and permit them to render MVG or MSL or specify unsanitized filenames and access the HTTPS coder.

seren
Posts: 1
Joined: 2016-05-03T13:38:15-07:00
Authentication code: 1151

Re: Imagemagick security issue local install

Post by seren » 2016-05-04T10:32:35-07:00

From what I understand, yes, you would be vulnerable if a customer created a malicious file which you then downloaded and processed, providing you haven't updated your policy.xml to block the vulnerable coders.

User avatar
fmw42
Posts: 25123
Joined: 2007-07-02T17:14:51-07:00
Authentication code: 1152
Location: Sunnyvale, California, USA

Re: Imagemagick security issue local install

Post by fmw42 » 2016-05-04T10:43:21-07:00

My understanding is that (prior to 6.9.3-10 or 7.0.1-1) if you do not need to allow your users to use MVG (Magick Vector Files) for drawing, or MSL files (Magick Scripting Language) or download input images via https directly in your command lines (convert https://.../someimage ...), then add these policies to your policy.xml file. If your users need these features, then leave them out, but you are then susceptible to malicious user's attacks via these mechanisms. The Imagemagick Developers can correct me here, if I have misunderstood.

See MVG and MSL at
http://www.imagemagick.org/script/formats.php
http://www.imagemagick.org/script/magic ... aphics.php
http://www.imagemagick.org/Usage/draw/#reading
http://www.imagemagick.org/Usage/files/#read
http://www.imagemagick.org/Usage/basics/#arg_percent (regarding @filename)

User avatar
magick
Site Admin
Posts: 10995
Joined: 2003-05-31T11:32:55-07:00

Re: Imagemagick security issue local install

Post by magick » 2016-05-04T10:56:51-07:00

If you need to use MVG or MSL, upgrade to ImageMagick 6.9.3-10 or 7.0.1-1 and include this in your policy.xml file:
  • <policy domain="path" rights="none" pattern="@*" />
These versions of ImageMagick include patches to prevent the exploits in concert with the above policy statement.

Post Reply